How to see when AD account password is changed on Mac

aaron_kelley
Contributor

Here's the scenario: 5th through 12th graders have MacBook Airs. 5th grade, however, is treated differently since it is elementary school. They do not take the devices home; rather, the devices stay in a cart in the classrooms. That being said, we set passwords for the student AD accounts according to which teacher they have and which number they are in the cart (e.g. Teacher05). Since we do it this way, we do not like passwords to be changed for 5th graders, although 6th-12th graders CAN, since they carry their devices and it's more "theirs" than sitting in a device charging cart in a class.

Here's the problem: since we globally push the same preferences and settings in JSS to this same MacBook model (it's easier this way), password changing is ALLOWED on all the MacBook Airs, including my 5th grade students'. While this is not a major deal, an issue can crop up here and there. A student will change their password and then proceed to say they are locked out of said device, whether it's on purpose or they really don't remember what they changed it to. What I would like to know is if there is a way to see if that said student has changed their password (it's an AD account), whether that be through JSS or AD. It would be nice if there was a way to create a smart group or policy to see when that password change setting has been tampered with and display the device, kind of like you can set to see when an iPad has been set with a passcode.

Any help? Suggestions? If we need to create a special "profile" to disable password changes just for 5th grade, that's fine, but I really would like to avoid separating the devices in JSS since it's so globalized already.

2 REPLIES

mpebley
New Contributor III

Here is a short one I use in my CocoaDialog/Platypus app to extract AD user info. $lookupName = your user's sAMAccountName (or UPN), defined in a variable in your script. I know there may be issues with the math on some older Windows Servers, so test and make sure the result is valid. You can also change the 'read /Search/.../...' section to point to the live Active Directory domain. I used the local /Search/Users/... since Directory Utility keeps the connection to AD if connected. YMMV.
I'm sure someone could clean this up.

# lookupName holds the user's sAMAccountName (or UPN), set earlier in the script
pwdLast=$(dscl localhost read "/Search/Users/${lookupName}" SMBPasswordLastSet | /usr/bin/grep 'SMBPasswordLastSet:' | awk '{ print $2 }' | head -1)
# Windows FILETIME (100-ns ticks since 1601-01-01 UTC) -> Unix epoch seconds
epochTime=$(( (pwdLast / 10000000) - 11644473600 ))
pwdLast=$(date -r "$epochTime")

geoffrepoli
Contributor

Condensed into a one-liner. Additionally, that one is actually printing the first password reset, as opposed to the most recent.

dscl localhost read "/Search/Users/$user" SMBPasswordLastSet | awk 'END{printf "%.0f",($NF/10000000)-11644473600}' | xargs -I{} date -r {} "+%F %T %Z"
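To turn the dscl/FILETIME conversion from the two replies above into the smart group the question asks for, the following is an added example, not code from this thread, from Jamf, or from either poster: a Jamf computer extension attribute script that reports whether the console user's AD password was set after a baseline date. It assumes the Mac is AD-bound so that dscl can read SMBPasswordLastSet, as in the replies; BASELINE_EPOCH (the day the cart passwords were set) is a hypothetical value, and SAMPLE_OUTPUT is a constructed stand-in used only when dscl is unavailable so the script also runs off a Mac. The function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread or Jamf): an extension attribute (EA) that
# reports whether the console user's AD password was set after a baseline date,
# so a smart group can list devices whose cart password was changed.
# Assumes an AD-bound Mac where 'dscl ... SMBPasswordLastSet' works, as in the
# replies above. Off a Mac it falls back to a constructed sample value.

# Hypothetical baseline: the day the cart passwords were last set (2020-08-15 UTC).
BASELINE_EPOCH=1597449600

# Constructed sample of dscl output, used only when dscl is unavailable.
SAMPLE_OUTPUT='SMBPasswordLastSet: 132428736000000000'

# Windows FILETIME (100-ns ticks since 1601-01-01 UTC) -> Unix epoch seconds.
filetime_to_epoch() {
  echo $(( ($1 / 10000000) - 11644473600 ))
}

# Pull the SMBPasswordLastSet value out of dscl output on stdin. Like the awk
# END block in the one-liner above, the last value listed wins.
extract_filetime() {
  awk '/SMBPasswordLastSet:/ { v = $NF } END { if (v != "") print v }'
}

# Epoch seconds -> UTC timestamp; BSD date (-r) first, GNU date (-d @) otherwise.
epoch_to_utc() {
  date -u -r "$1" '+%Y-%m-%d %H:%M:%S' 2>/dev/null \
    || date -u -d "@$1" '+%Y-%m-%d %H:%M:%S'
}

# Prints 1 if the password-set time is after the baseline, else 0.
changed_since() {
  if [ "$1" -gt "$2" ]; then echo 1; else echo 0; fi
}

# EA value: "Unchanged", or "Changed on <UTC timestamp>".
# Smart group criterion: this EA "like" "Changed".
build_result() {
  epoch=$(filetime_to_epoch "$1")
  if [ "$(changed_since "$epoch" "$2")" = 1 ]; then
    echo "Changed on $(epoch_to_utc "$epoch")"
  else
    echo "Unchanged"
  fi
}

main() {
  if command -v dscl >/dev/null 2>&1; then
    user=$(stat -f '%Su' /dev/console)   # current console user on macOS
    out=$(dscl localhost read "/Search/Users/$user" SMBPasswordLastSet 2>/dev/null)
  else
    out="$SAMPLE_OUTPUT"
  fi
  ft=$(printf '%s\n' "$out" | extract_filetime)
  if [ -z "$ft" ]; then
    echo "<result>Not available</result>"   # not AD-bound, or attribute missing
  else
    echo "<result>$(build_result "$ft" "$BASELINE_EPOCH")</result>"
  fi
}

main
```

Paste it as a script-type computer extension attribute in Jamf, then build a smart group with the criterion EA "like" "Changed"; that group becomes the list of carts whose password was altered, and "Not available" separates unbound Macs from genuinely unchanged ones. Because the script only reads the timestamp, the same caveat mpebley raises applies: validate the converted date against a known reset on your own domain controllers before trusting the group.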